I'm looking for possibilities to have a Keycloak realm key be stored in an HSM and be loaded into memory on startup.
At the moment I can see the standard realm keys which are stored "unprotected" in the Keycloak integrated database. I have also found this discussion from 2016 [1] that suggests implementing encryption/signature SPIs to make encrypting/signing happen inside an HSM. This was also implemented as far as I see it [2].
However for the case of a login with signed access token this would require communication with the HSM every time a token is issued, which would - for a greater number of applications and users - cause serious impact on the duration of a login procedure.
If we want to circumvent this we could have a startup procedure that loads the realm keys from the HSM on startup and then keeps them in memory. But I could not find anything about such a feature being present or even considered. Is there any feature in this direction?
[1] https://lists.jboss.org/pipermail/keycloak-dev/2016-February/006610.html
[2] e.g. https://www.keycloak.org/docs-api/22.0.1/javadocs/org/keycloak/crypto/SignatureSpi.html
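An added example, not from the original post or from Keycloak, of the "open the HSM once at startup and keep the key in memory" idea using only the JDK's built-in PKCS#11 support; the config file path, the key alias and the PIN are assumptions. It also shows the catch such a design runs into: when the HSM key is non-extractable, what gets cached is an opaque key handle, so each RS256 signature is still performed inside the HSM.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Base64;

/**
 * Opens the PKCS#11 keystore of an HSM once (e.g. at server startup), keeps the
 * key handle and certificate in memory, and signs with the cached handle later.
 * Assumed (constructed for this example): a SunPKCS11 config file at
 * /etc/keycloak/hsm.cfg, a key pair stored under alias "realm-signing-key",
 * and the token PIN supplied by the caller.
 */
public final class HsmRealmKey {
    private final Provider provider;
    private final PrivateKey privateKey;      // handle only: the key never leaves the HSM
    private final X509Certificate certificate;

    public HsmRealmKey(String pkcs11Config, String alias, char[] pin) throws Exception {
        // Java 9+: configure the built-in SunPKCS11 provider from a config file.
        provider = Security.getProvider("SunPKCS11").configure(pkcs11Config);
        Security.addProvider(provider);
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, pin);                   // logs in to the token once
        // For a non-extractable key the JDK returns an opaque reference, not key bytes,
        // so "loading into memory" only saves the session setup and key lookup.
        privateKey = (PrivateKey) ks.getKey(alias, pin);
        certificate = (X509Certificate) ks.getCertificate(alias);
        if (privateKey == null || certificate == null) {
            throw new IllegalStateException("no key pair under alias " + alias);
        }
    }

    /** Signs a JWT signing input (base64url header "." base64url payload) with RS256. */
    public String signRs256(String signingInput) throws Exception {
        // Bound to the PKCS#11 provider: the RSA operation runs inside the HSM per call.
        Signature sig = Signature.getInstance("SHA256withRSA", provider);
        sig.initSign(privateKey);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sig.sign());
    }

    public X509Certificate getCertificate() { return certificate; }
}
```

Usage: construct one instance at startup with `new HsmRealmKey("/etc/keycloak/hsm.cfg", "realm-signing-key", pin)` and reuse it; the per-token cost that remains is the HSM signing call itself, which the cached handle cannot remove.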